AMENDMENTS TO THE SPECIFICATION 



Please replace the paragraph beginning on page 1, line 10, with the following rewritten 
paragraph: 

-This application is related to co-pending U.S. Patent Application No. 09/615,676 

(Attorney Doclcot No. RECOP005) entitled SYSTEM AND METHOD FOR 
TRACKING THE SOURCE OF A COMPUTER ATTACK filed concurrently herewith, which 
is incorporated herein by reference for all purposes; and co-pending U. S. Patent Application No. 
09/615,888 (Attomoy Doclcot No. RECOP009) entitled SYSTEM AND 

METHOD FOR DYNAMICALLY CHANGING A COMPUTER PORT OR ADDRESS filed 
concurrently herewith, which is incorporated herein by reference for all purposes; and co- 
pending U. S. Patent Application No. 09/616,803 (Attorn e y Dock e t No. RECOPOlO) 
entitled SYSTEM AND METHOD FOR QUICKLY AUTHENTICATING MESSSAGES 
USING SEQUENCE NUMBERS filed concurrently herewith, which is incorporated herein by 
reference for all purposes. - 

Please replace the paragraph beginning on page 12, line 13, with the following rewritten 
paragraph: 

-In the example illustrated in Figure 1, the edge router 1 16 is connected to core router 
120a which cor e router is located in the same physical location 1 14 as the edge router 116. It is 
also possible for edge router 1 16 to connect to a core router that is located in a different physical 
location than the core router 120a. It is also possible in certain networks for the edge router to 
also serve as the core router and to directly permit connections between network elements served 
by the router and external networks such as the Internet. This disclosure is applicable equally to 
networks configured in the manner described above as well as to other variations and 
configurations known in the art.- 

Please replace the paragraph beginning on page 28, line 3, with the following rewritten 
paragraph: 

-In this manner, multiple copies of the same suspicious message, such as may be the case 
with events A, B, and C in the queue associated with row 0 and column 1, could not successfiiUy 
be used by an attacker to mask firom detection a potentially more threatening suspicious message. 
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such as one associated with event F in the queue associated with row 0, column 4, by requiring 
the system to process multiple copies of the same message before being able to process the more 
threatening message. Because of the way in which the row and column addresses are calculated, 
multiple copies of the same message would be placed in the same queue because the hash of the 
total message and the hash of the destination address would be the same for each message. 
Similarly, different messages sent to the same destination may appear in different columns, but 
would be in the same row, because they would have the same destination address, which 
determines the row address. For example, in the example shown in Figure 6, event A, B, and C 
may be the same message, and event F may be a different message sent to the same destination. 
On[[c]]e strategy that an attacker might attempt would be to send massive numbers of copies of a 
suspicious but relatively innocuous message in the hope of overloading the security systems in 
place on the target network and then to send a more potentially dangerous message to the same 
destination with the hope that the more dangerous message would escape detection and analysis 
by the by then overloaded security systems. The approach described above would prevent such a 
strategy from being successful because only the first message of the series of identical messages 
would be analyzed before a message from other queues would be sent to the analysis fi*amework 
for analysis. - 

Please replace the paragraph beginning on page 42, line 12, with the following rewritten 
paragraph: 

-The communication protocol described above is advantageous because it enables the 
system that receives a request to communicate to determine that the requesting system is a 
system authorized to communicate with it by performing just a couple of non-computationally- 
intensive operations. The system that received the request to communicate need only find a 
random number, calculate a hash value, send the hash value to the requesting party, and then 
determine the hash value of a number r e c e ive din received in response to the hash value sent to 
the requesting party and insure there is an adequate match. By contrast, the requesting system 
must perform the computationally intensive task of finding a number that will yield a 
cryptographic hash value that matches the cryptographic hash value received from the system 
with which it wishes to communicate. As a result, even if an unauthorized party somehow 
obtained the information concerning the cryptographic hash function being used in the 
communication protocol, which is of a type sometimes called a hand shake, the would be 
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attacker would be limited by the computing power of the attacker's system to making only a 
limited number of successful communications to the target tracking system. For example, a 
typical system may be able to successfully send approximately 15 packets per minute to a target 
system using the above protocol. This number of packets would not be sufficient to affect a 
successful denial of service attack on a typical tracking system computer.- 

Please replace the paragraph beginning on page 43, line 9, with the following rewritten 
paragraph: 

-In addition to this strong protection against this denial of service attacks the 
communication protocol described above protects the tracking systems from other types of 
attacks by requiring that the would be attacker both know the communication protocol and have 
the cryptographic hash function being used as part of the communication protocol in the tracking 
systems installed in the particular administrative domain. - 
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